Commit Graph

84 Commits

Author SHA1 Message Date
Jonhnathan 0ffd1ef47f Remove additional backslash 2020-11-19 23:15:38 -03:00
Jonhnathan 351a9920ed Update win_mal_flowcloud.yml 2020-11-19 23:14:44 -03:00
Jonhnathan 266109f3d8 Update win_mal_ryuk.yml 2020-10-27 22:47:41 -03:00
Jonhnathan 514f9ccd28 Update win_mal_ryuk.yml 2020-10-27 22:42:15 -03:00
Jonhnathan dbad6c637f Update av_webshell.yml 2020-10-27 22:35:45 -03:00
Jonhnathan 0afe48a0a0 Update av_relevant_files.yml 2020-10-27 22:34:57 -03:00
Jonhnathan 95da1ec500 Update av_relevant_files.yml 2020-10-27 22:32:16 -03:00
Jonhnathan d3c6d9df31 Update win_mal_ryuk.yml 2020-10-27 22:21:16 -03:00
Jonhnathan 98c7639db7 Update mal_azorult_reg.yml 2020-10-27 22:19:04 -03:00
Jonhnathan 8f4d6f802b Update mal_azorult_reg.yml 2020-10-27 22:18:41 -03:00
Jonhnathan 9fd203e2a3 Update mal_azorult_reg.yml 2020-10-27 22:07:45 -03:00
Jonhnathan 0dfacd1f63 Fix 2020-10-15 20:27:10 -03:00
Jonhnathan 9795c95a9b Update av_webshell.yml 2020-10-15 20:25:34 -03:00
Jonhnathan 345c3c6451 Fix 2020-10-15 20:24:31 -03:00
Jonhnathan 86ade194a4 Fix 2020-10-15 20:22:56 -03:00
Jonhnathan acfe0633e2 Update win_mal_ursnif.yml 2020-10-15 16:18:38 -03:00
Jonhnathan 983e9cb9ae Update win_mal_ryuk.yml 2020-10-15 16:18:14 -03:00
Jonhnathan 8d44548a2c Update win_mal_flowcloud.yml 2020-10-15 16:16:08 -03:00
Jonhnathan ef646e74d8 Update mal_azorult_reg.yml 2020-10-15 16:15:25 -03:00
Jonhnathan 69c90570ec Update av_webshell.yml 2020-10-15 16:14:08 -03:00
Jonhnathan cdaa5ef3a6 Update av_relevant_files.yml 2020-10-15 16:13:22 -03:00
Jonhnathan 7dc720cf13 Update av_password_dumper.yml 2020-10-15 16:11:52 -03:00
Jonhnathan dea145cd5e Update av_exploiting.yml 2020-10-15 16:11:24 -03:00
Ivan Kirillov b343df2225 Further subtechnique updates 2020-06-17 11:31:40 -06:00
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Brad Kish 422b2bffd7 Fix rules with incorrect escaping of wildcards
A backslash before a wildcard needs to be escaped with another backslash.
2020-06-15 13:38:18 -04:00
Florian Roth 9b8f8b7e09 Merge pull request #822 from NVISO-BE/win_mal_flowcloud
TA410 FlowCloud malware detection
2020-06-09 17:18:39 +02:00
Remco Hofman a9bf22750a Fixed bad indentation 2020-06-09 16:30:17 +02:00
Remco Hofman 4ce3ea735e TA410 FlowCloud malware detection 2020-06-09 16:21:46 +02:00
Remco Hofman d14d391761 Octopus Scanner malware rule 2020-06-09 16:12:05 +02:00
Florian Roth beb62dc163 fix: condition location 2020-05-15 12:06:34 +02:00
Florian Roth 28dc2a2267 Minor changes
hints: 
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
2020-05-15 11:33:36 +02:00
Trent Liffick 40ab1b7247 added 'action: global' 2020-05-14 23:33:08 -04:00
Trent Liffick 56a2747a70 Corrected missing condition
learning! fail fast & forward
2020-05-14 23:18:33 -04:00
Trent Liffick fb1d8d7a76 Corrected typo 2020-05-14 23:04:14 -04:00
Trent Liffick 8aff6b412e added rule for Blue Mockingbird (cryptominer) 2020-05-14 22:58:23 -04:00
Florian Roth 09d1b00459 Changed level to critical 2020-05-11 10:40:23 +02:00
tliffick c98be55d21 Update mal_azorult_reg.yml 2020-05-08 21:31:33 -04:00
tliffick 61f061333b Registry entry for Azorult malware
Detects registry keys used by Azorult malware
2020-05-08 21:26:24 -04:00
Florian Roth 30d872f98f Merge pull request #492 from booberry46/master
Bypass Windows Defender
2020-01-30 14:27:30 +01:00
Bart a5b4b276d4 Add scriptlets
Adds .sct and .vbe.
2019-11-14 22:26:22 +01:00
Thomas Patzke 0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
booberry46 cfe7ddbe5b Update av_exploiting.yml
Not sure if the '' affects.
2019-11-06 16:16:49 +08:00
Florian Roth d096ab0e21 rules: AV rules updated to reflect 1.7.2 of AV cheat sheet 2019-10-04 16:17:34 +02:00
Florian Roth f6fd1df6f4 Rule: separate Ryuk rule created for VBurovs strings 2019-08-06 10:33:46 +02:00
megan201296 eb8a0636c5 Update win_mal_ursnif.yml
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to). However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still unique.
2019-04-14 11:51:13 -05:00
Thomas Patzke c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Florian Roth afa18245bf Merge pull request #254 from darkquasar/master
adding MPreter as McAfee classifies it
2019-02-23 07:34:04 +01:00
Thomas Patzke 02239fa288 Changed registry root key
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
2019-02-22 21:30:30 +01:00
darkquasar 87994ca46b adding MPreter as McAfee classifies it
McAfee classifies some Meterpreter events with the "Mpreter" keyword
2019-02-22 15:22:10 +11:00